Account Permissions

The following is a list of all the permissions the service account running the Gatekeeper requires:

Permission	Scope
Local administrator	Gatekeeper computer
Service Connection Point	Gatekeeper computer
Create and Delete	classStore objects beneath user objects
Read	userAccountControl attribute on user objects msDS-User-Account-Control-Computed attribute on user objects displayName attribute on user objects mail attribute on user objects manager attribute on user objects mobile attribute on user objects objectGUID attribute on user objects sAMAccountName attribute on user objects userAccountControl attribute on user objects
Change and Reset Password	User objects
Unlock account	User objects
Change password at next logon	User objects
List child objects	User objects
Write*	Mobile attribute on user objects

Note

*This allows users to enroll by entering their mobile number, not already set in Active Directory by the administrator.